Re: openvpn routing

Piotr Kirklewski
Super Advisor

openvpn routing

Hi there
I have the openvpn server installed and running.
Clients are connecting fine.

I did the following to the firewall and forwarding:

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.10.0.0/16 -j MASQUERADE
iptables -A FORWARD -s 10.10.0.0/16 -j ACCEPT

And I can ping only the 10.10.0.4 server, which is the openvpn server.

Can anyone please tell me why that would be?

Regards

Peter

Jesus is the King
Joseph L. Casale
Regular Advisor

Re: openvpn routing

Peter,
There is a lot more to this: there is the actual openvpn config, as well as iptables config (since you are using it), to make this work.

Provide an overview of your topology including subnets to make this easy to answer as well as openvpn versions.

But basically, if you are not interested in making site-to-site connections but instead want only to allow the clients connectivity, then if you are using tun devices the traffic appears on the openvpn server from the point-to-point tunnel IP that the openvpn process sets up. So you must provide routing (most easily accomplished by a server-side push statement) to expose the remote server-side subnet over the p-t-p tunnel to the client, and possibly allow this via iptables and server-side routing as well.

As you are masq'ing traffic, I need to know more details before I can really comment specifically.
Piotr Kirklewski
Super Advisor

Re: openvpn routing

eth0 Link encap:Ethernet HWaddr 00:0x:xx:xx:xx:xx
inet addr:10.10.0.4 Bcast:10.10.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:213683 errors:0 dropped:0 overruns:0 frame:0
TX packets:142459 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:243448843 (232.1 MiB) TX bytes:58282203 (55.5 MiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:10007 errors:0 dropped:0 overruns:0 frame:0
TX packets:10007 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1157484 (1.1 MiB) TX bytes:1157484 (1.1 MiB)

tun1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.25.25.1 P-t-P:10.25.25.1 Mask:255.255.255.0
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:1936 errors:0 dropped:0 overruns:0 frame:0
TX packets:1972 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:206539 (201.6 KiB) TX bytes:1373185 (1.3 MiB)


openvpn.conf
port 1725
proto udp
dev tun1
script-security 3 system
ca /etc/openvpn/vpn/ca.crt
cert /etc/openvpn/vpn/vpn.crt
key /etc/openvpn/vpn/vpn.key
dh /etc/openvpn/vpn001bri/dh-vpn.pem
server 10.25.25.0 255.255.255.0
up "/etc/openvpn/vpn/serverup.sh vpn"
down "/etc/openvpn/vpn/serverdown.sh vpn"
down-pre
ifconfig-pool-persist /etc/openvpn/vpn/ipp.txt
topology subnet
keepalive 10 120
tls-server
tls-auth /etc/openvpn/vpn/ta.key 0
cipher AES-128-CBC
comp-lzo
max-clients 30
user root
group root
persist-key
persist-tun
status-version 2
status /etc/openvpn/logs/openvpn-status.log
log /etc/openvpn/logs/openvpn-vpn.log
crl-verify /etc/openvpn/vpn/crl.pem
verb 3
mute 20
management 127.0.0.1 10002
push "route 10.10.0.0 255.255.255.0"


[root@vpn001bri ~]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.25.25.0 * 255.255.255.0 U 0 0 0 tun1
10.10.0.0 * 255.255.0.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
default 10.10.0.1 0.0.0.0 UG 0 0 0 eth0
Jesus is the King
Piotr Kirklewski
Super Advisor

Re: openvpn routing

Topology:

vpn_client
|
|
THE INTERNET
|
|
Linksys WRT54GL(DD-WRT Firmware)
|
|
OPENVPN(10.10.0.4) + OTHERSERVER(10.10.0.5)

The vpn_client can ping 10.10.0.4 but not 10.10.0.5
Jesus is the King
Joseph L. Casale
Regular Advisor

Re: openvpn routing

Peter,
Here is what i see:
I assume the openvpn version on the server is recent, judging from some of the options, but you never stated it; I also don't know what the client version is. I don't know what's in your scripts either.

1. You are using tun devices and in routing mode, so there is no need to masq traffic; proper routes and iptables will do it!

2. Your internal network on the vpn server is accessible via eth0 10.10.0.4/16, yet your vpn server config pushes a /24 route. Not good; change your server conf to:
push "route 10.10.0.0 255.255.0.0"

3. Route table on vpn server looks good. Client is obviously wrong as per server conf.

4. What is left is the potential for any iptables changes on the server. Correct the push/route and send a redacted copy of the iptables rules.


HTH
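Editor's added check, not code from the thread or from either poster. Before touching iptables it is worth re-checking, with plain arithmetic, the two things the posted configuration actually controls: whether the route pushed to the client covers the target host, and whether the server's MASQUERADE rule matches packets that arrive from the tunnel. Run against the addresses shown in the posts, it shows that the posted push "route 10.10.0.0 255.255.255.0" already covers 10.10.0.5 (the /16 push in the reply is still the right thing for the rest of the LAN), while a MASQUERADE rule with -s 10.10.0.0/16 never matches a source in 10.25.25.0/24, so traffic from the tunnel leaves eth0 un-NATed and 10.10.0.5 can only reply if it, or the Linksys at 10.10.0.1, has a return route for 10.25.25.0/24 via 10.10.0.4. The client address 10.25.25.6 is an assumed member of the "server 10.25.25.0 255.255.255.0" pool, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. It re-checks the two things the
# posted configuration controls, using only the addresses shown in the posts:
#   1. does the route pushed to the client cover the target host?
#   2. does the server's MASQUERADE rule match packets coming from the tunnel?
# Assumed: client address 10.25.25.6 from the server's pool. Helper names
# (ip2int, prefix2mask, in_subnet, in_cidr, diagnose) are this example's own.

# Dotted quad -> 32-bit integer (runs in a subshell so IFS is not clobbered).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Prefix length (e.g. 16) -> netmask as an integer.
prefix2mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# in_subnet <ip> <network> <dotted-netmask>: true if ip lies in network/mask
# (the form OpenVPN's push "route" uses).
in_subnet() {
    ip=$(ip2int "$1"); net=$(ip2int "$2"); mask=$(ip2int "$3")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# in_cidr <ip> <network> <prefixlen>: same check for iptables-style a.b.c.d/n.
in_cidr() {
    ip=$(ip2int "$1"); net=$(ip2int "$2"); mask=$(prefix2mask "$3")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# diagnose <client> <target> <push-net> <push-mask> <masq-net> <masq-len>
# Prints one word: no-route, no-nat or ok.
diagnose() {
    if ! in_subnet "$2" "$3" "$4"; then
        echo no-route     # client never sends the packet over the tunnel
        return 1
    fi
    if ! in_cidr "$1" "$5" "$6"; then
        echo no-nat       # packet leaves eth0 with a 10.25.25.x source; the
        return 1          # target needs its own route back to the tunnel net
    fi
    echo ok
}

# Values as posted: push "route 10.10.0.0 255.255.255.0" and
# iptables -t nat -A POSTROUTING -s 10.10.0.0/16 -j MASQUERADE
echo "as posted  (push /24, masq 10.10.0.0/16):  $(diagnose 10.25.25.6 10.10.0.5 10.10.0.0 255.255.255.0 10.10.0.0 16)"
# The reply's /16 push, plus a NAT rule that actually matches the tunnel subnet
echo "corrected  (push /16, masq 10.25.25.0/24): $(diagnose 10.25.25.6 10.10.0.5 10.10.0.0 255.255.0.0 10.25.25.0 24)"
```

If NAT is kept, the rule that corresponds to the "corrected" case is `iptables -t nat -A POSTROUTING -s 10.25.25.0/24 -o eth0 -j MASQUERADE`; if the reply's no-NAT approach is followed instead, 10.10.0.5 or the Linksys needs a static route for 10.25.25.0/24 pointing at 10.10.0.4. Note also that the posted FORWARD rule only accepts packets with a 10.10.0.0/16 source, so forwarding of tunnel-sourced packets relies on the FORWARD chain's default policy. Unrelated to the routing question but visible in the posted config: the daemon stays root after startup (user root, group root) with script-security 3, which is more privilege than the routing setup needs.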